Massachusetts Privacy Law Requires Safeguards
Credit unions that do business in Massachusetts will have to take extra precautions to ensure that consumer data is protected from identity theft.
That's because on March 1, a new Bay State regulation takes effect requiring credit unions and other financial institutions to have a written data security plan in place and to designate someone responsible for protecting confidential information.
"If credit unions are already complying with the privacy standards set up by the NCUA, they won't have to do more," explained Robert Kimmett, senior vice president of marketing for the Massachusetts Credit Union League.
"We are getting a lot of calls from credit unions making sure they are in compliance, because they want to make sure they are following all the housekeeping requirements."
The regulation defines personal information as a Massachusetts resident's first name or initial and last name, combined with one or more of the following: Social Security number, driver's license or state-issued identification number, or financial account number or credit or debit card number.
To protect the data, the regulation spells out requirements for a range of technology and data management steps.
These range from a "reasonably secure" method of assigning passwords, or the use of "unique identifier technologies" such as biometrics or token devices, to a detailed description of the encryption methodology.
Credit unions have to encrypt documents transmitted over the Internet or saved on laptops or flash drives. They must also have "reasonably up-to-date firewall protection" and "operating system security patches."
They must also run up-to-date security agent software, which validates user identity before allowing network access. This software must include protection against malicious software and must carry current virus definitions and operating system security patches.
The credit union must review the security measures in place at least annually, or more often if there is a "material change in business practices that may reasonably implicate the security and integrity" of the records.
Also, if a data breach occurs, the credit union must document the actions it takes to remedy the incident and any resulting changes to its broader security policy.
Credit unions must perform due diligence to ensure that third parties with access to member data comply with the regulation.
The penalties for noncompliance can be stiff. Violators can be assessed a $5,000 civil penalty and may be forced to pay investigation and litigation costs. A company that improperly disposes of data can also be fined up to $50,000.
To help meet these technology requirements, a credit union can buy software designed to secure the data. One such product is the Biscom Delivery Server, a secure file transfer application.